IP address of spam/FW-1

Desai, Jason jase at SENSIS.COM
Tue May 20 15:43:57 IST 2003


Yes, SA allows you to decide which RBLs to use.  You can put these
preferences in your spam.assassin.prefs.conf file.  Check out
http://www.spamassassin.org/doc/Mail_SpamAssassin_Conf.html.  Toward the
bottom of the page, search for RCVD.  There you can see how to add another
RBL that SA may not use.

Jason

> -----Original Message-----
> From: Avi Levin [mailto:avi at CAXTONRVH.COM]
> Sent: Tuesday, May 20, 2003 8:59 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: [MAILSCANNER] IP address of spam/FW-1
>
>
> Thanks, Jason.  I had turned off RBL checks in SA, figuring that MailScanner
> would do it, and have many more options/lists.  But I'll see how it goes
> with SA.  Have you found SA to allow you to decide which RBLs to use (I
> haven't looked into it much yet)?
> I think the IP address is harder to spoof, since the first hop for a spammer
> is frequently legit, and needs to see a valid source IP.  But I suppose
> someone could hack their mailer.  Still, although much of the spam I get has
> a spoofed sender domain name, the IP address seems to always be accurate,
> and a way to track the source.
>
> Thanks again for the tip.
> ---Avi---
>
> > > -----Original Message-----
> > > From: Desai, Jason [mailto:jase at sensis.com]
> > > Sent: Thursday, May 15, 2003 1:03 PM
> > > To: MAILSCANNER at jiscmail.ac.uk
> > > Subject: Re: IP address of spam
> > >
> > >
> > > This is one reason to let SpamAssassin do the RBL checks instead of
> > > MailScanner.  I believe that SpamAssassin will check all of the Received
> > > header.
> > >
> > > Also, I would think that the Received header that immediately precedes the
> > > Message-Id and From headers could easily be spoofed by a spammer, so you
> > > really can't trust it.
> > >
> > > Jason
> > >
> > > > -----Original Message-----
> > > > From: Avi Levin [mailto:avi at CAXTONRVH.COM]
> > > > Sent: Thursday, May 15, 2003 12:45 PM
> > > > To: MAILSCANNER at JISCMAIL.AC.UK
> > > > Subject: [MAILSCANNER] IP address of spam
> > > >
> > > >
> > > > The IP address identified by MailScanner (4.14-9) in the log seems to be the
> > > > last host that handed off the message to my SMTP server.  In other words,
> > > > the first "Received:" line in the envelope of each message.
> > > >
> > > > The problem I'm seeing with this, is that if I use Checkpoint's FW-1 SMTP
> > > > proxy, or any other internal scanners, then MailScanner's reported IP
> > > > address is no longer that of the actual sender.
> > > >
> > > > Shouldn't the sender's IP address be the one that's identified on the
> > > > "Received: " header that immediately precedes the "Message-ID:" and "From:"
> > > > lines?
> > > >
> > > > And finally, which address is used for RBL and other list checks?
> > > >
> > > > Please let me know if you've got any insights into this.
> > > >
> > > > Thanks.
> > > > ---Avi---
> > > >
> > >
> >
>
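
The question debated in this thread, as an added example that is not part of the original posts and is not MailScanner or SpamAssassin code: walk the Received headers newest first, skip hops added by relays you operate (such as the firewall's SMTP proxy), and use the first outside address for list lookups, since anything below it was supplied by the sender. The network range, sample message and DNSBL zone name are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Assumption: relays we operate ourselves (e.g. the firewall's SMTP proxy).
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/28")]  # constructed range

# Constructed message: the bottom Received line is forged by the sender.
SAMPLE = """\
Received: from fw1.example.net (fw1.example.net [192.0.2.5])
\tby mail.example.net with ESMTP; Tue, 20 May 2003 15:40:02 +0100
Received: from mx.bulk.example (unknown [203.0.113.77])
\tby fw1.example.net with SMTP; Tue, 20 May 2003 15:40:01 +0100
Received: from trusted.bank.example (trusted.bank.example [198.51.100.9])
\tby mx.bulk.example with SMTP; Tue, 20 May 2003 15:39:00 +0100
Message-ID: <constructed-1@bulk.example>
From: someone@bank.example
Subject: constructed sample

body
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def hop_ips(raw_message):
    """Peer IPs recorded in Received headers, newest hop first."""
    ips = []
    for value in message_from_string(raw_message).get_all("Received", []):
        # Only the "from ..." clause names the connecting peer.
        from_part = re.split(r"\sby\s", value, maxsplit=1)[0]
        m = IP_IN_BRACKETS.search(from_part)
        try:
            if m:
                ips.append(ipaddress.ip_address(m.group(1)))
        except ValueError:
            pass  # malformed address literal: ignore this hop
    return ips

def rbl_candidate(raw_message, trusted=TRUSTED_NETS):
    """First hop (newest first) that is not one of our own relays."""
    for ip in hop_ips(raw_message):
        if not any(ip in net for net in trusted):
            return ip
    return None  # every recorded hop was internal

def rbl_query_name(ip, zone="dnsbl.example."):
    """DNSBL lookup name: reversed octets + zone (zone is a placeholder)."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone
```

With no trusted networks configured, the candidate is the proxy's own address, which is the symptom described in the first post.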


